Apache Slowloris DoS is Nasty - Protection Guide in the Works
The Apache SlowLoris DoS is a pretty nasty thing. If you are running Apache (who isn't) then I strongly recommend you look carefully at the link above, learn about how this exploit works, and ensure that your infrastructure is safe.
If you are running Apache or IBM Web servers that are directly exposed to the Web, you are vulnerable. If you have a load balancer in front of your Web site (most of us don't), you may still be vulnerable. Your load balancer needs to be configured to protect against this DoS; many (including Cisco) need to be told to do so and do not protect by default. So test to ensure that your infrastructure is protected.
From what I've read, if you have a squid proxy in front of Apache, you should be safe, but we have not confirmed this yet.
I'm planning to have a SlowLoris Protection Guide available early next week, which will provide detailed information on how to protect against this particularly nasty DoS.
I also think that the Apache team's historical response to this very preventable issue has been horrendous - we all run Web servers in the real world, not some theoretical happy world, and it's Apache's job to ensure that it manages its own resources properly. For future Web-related efforts, I think I'm going to be avoiding Apache and looking at the Cherokee Web Server.
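The post does not say how the attack holds Apache's resources, so for context: a Slowloris client opens many connections and sends the request header a few bytes at a time, each piece arriving just before the server's idle timeout, so every connection keeps a worker busy without ever completing a request. The following Apache httpd configuration is an added example, not part of the original post or of the promised guide; it shows a default-style setup next to a hardened one. It assumes mod_reqtimeout is available (httpd 2.2.15 or later, which is newer than this post), and the numeric values are illustrative assumptions to be tuned for your own traffic.

```apache
# Added example (not from the original post): limiting how long a client may
# take to send a complete request, so a trickled header cannot pin a worker.

# --- Weak, default-style configuration ---
# Each worker waits up to Timeout seconds between reads and there is no
# deadline for the request header as a whole. A client that sends one header
# line every few seconds never trips Timeout, so a few hundred such
# connections exhaust the worker pool (MaxClients) and real users get no slot.
Timeout 300
KeepAliveTimeout 15
<IfModule mpm_prefork_module>
    MaxClients 150
</IfModule>

# --- Hardened configuration ---
# mod_reqtimeout ships with httpd 2.2.15+ and 2.4 (module path is an assumption
# for a typical install; adjust to your distribution's layout).
LoadModule reqtimeout_module modules/mod_reqtimeout.so

# Shorter gaps between reads and shorter keep-alive idle time. On their own
# these only raise the bar, because the attacker can send just under the limit.
Timeout 20
KeepAliveTimeout 5

<IfModule reqtimeout_module>
    # The whole request header must arrive within 20 s; the deadline extends
    # by 1 s per 500 bytes received, up to a hard 40 s cap. Bodies must start
    # within 20 s and then keep flowing at 500 bytes/s. A connection that
    # misses either rule is closed, freeing its worker.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

After a reload, `apachectl -t` should report `Syntax OK`, and the `Reading` column in mod_status output (if enabled) should no longer fill with long-lived connections from a handful of client addresses during an attack; if a balancer or proxy in front of Apache terminates the TCP connections itself, the same kind of header-read deadline has to be applied there, since Apache never sees the slow connection.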
12 comments:
Hadn't heard of Cherokee as yet, thanks!
I've used Lighttpd as well for Apache 'substitution' in some cases. http://www.lighttpd.net/
The benchmark page at the Cherokee site is interesting... http://www.cherokee-project.com/benchmarks.html. Afaict, a current and well considered test strategy.
I usually use nginx as a reverse proxy / load balancer or as a plain webserver (on a normal configuration). So I have no problem.
Timothy: cool. Just be very careful of SSL traffic. If Apache is decrypting the traffic, slowloris can still be effective, even if you have a load balancer in front.
Maybe a better way to say that is "if your load balancer/proxy is *not* decrypting the traffic, then slowloris can still be effective".
Cherokee is very good, I have used it for a long time now :)
Let me know when you get Cherokee up and running for Gentoo! I have no luck so far:
http://code.google.com/p/cherokee/issues/detail?id=512&q=crash
I am using Funtoo and Git to emerge --sync
Thanks for the fix Daniel! cherokee-0.99.19-r1 now starts up very smoothly and I can also login after doing cherokee-admin.
Please keep us posted if and when you switched to Cherokee. Interesting that you also patched Apache as a next step.
Do your computers go down easily? If so, this can cause you to lose a lot of money. Think about the costs associated with lost work. If you are experiencing this problem, you should look into getting a hardware load balancer. Definitely a cost effective way to help combat server issues. I use the loadmaster 2000 and it has worked out great... it was one of the cheapest ones I have found, but has really helped our company out in both saving money in the long run and with getting rid of the "downtime" that we were experiencing.
http://www.kemptechnologies.com/?utm_source=blog&utm_medium=pv&utm_content=zs&utm_campaign=home
If you get Cherokee on your Funtoo up and working, please post a howto or anything in that direction (it would be highly appreciated by all the Funtoo users ;). So far I could not manage to get Cherokee working on my Funtoo; I tried it with pmwiki (a PHP application) on my local Funtoo box. Please also see http://code.google.com/p/cherokee/issues/detail?id=515&start=100 for my configuration.
Somewhat unrelated but security related, please add a hardened-vserver funtoo to your regular builds. We all could use the strong security in that combination.
I haven't used Apache for many years and couldn't be happier.
Squid as a reverse proxy seems to be a good solution. The slowloris documentation itself says that squid isn't affected. From my point of view, squid may take the role of a "software load balancer" (in the sense that it may cause a sort of delayed binding effect). I think that the caching feature of squid (plus the fact that it is not affected by the slowloris attack) would make a nice defense layer. I'll try to play a little with all this stuff. I'll post any news.